HTC has provided a firmware update to fix a "small" security hole that allowed Wi-Fi credentials to be easily stolen.
Security researchers at Open1X outlined the flaw, which they rated as critical. They revealed that HTC and Google were informed of the problem last September.
"There is an issue in certain HTC builds of Android that can expose the user's 802.1X Wi-Fi credentials to any program with basic Wi-Fi permissions," said Chris Hessing and Bret Jordan, security architects at Open1X.
"When this is paired with the internet access permissions, which most applications have, an application could easily send all stored Wi-Fi network credentials (user names, passwords, and SSID information) to a remote server."
HTC said it had developed a fix for the issue.
"Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded."
Affected devices are the Desire HD, Glacier, Droid Incredible, Thunderbolt 4G, Sensation, Sensation 4G, Desire S, Evo 3D and Evo 4D.
Despite the long delay between the discovery of the issue and HTC releasing a fix, Hessing and Jordan commended the two firms' handling of the problem.
"Google and HTC have been very responsive and good to work with on this issue. Google has made changes to the Android code to help better protect the credential store and HTC has released updates for all currently supported phones and side-loads for all non-supported phones," they said.